
ci: limit job permissions from default (#9874)

Signed-off-by: Alex <[email protected]>
Alex 3 lat temu
commit
f44ca01fcf

+ 6 - 0
.github/workflows/ci.yml

@@ -22,6 +22,9 @@ env:
   DESTDIR: "./bin"
   DOCKER_CLI_VERSION: "20.10.17"
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   prepare:
     runs-on: ubuntu-latest
@@ -182,6 +185,9 @@ jobs:
           make e2e-compose-standalone
 
   release:
+    permissions:
+      contents: write # to create a release (ncipollo/release-action)
+
     runs-on: ubuntu-latest
     needs:
       - binary
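Review bot: The `release` job now hands a `contents: write` token to a third-party action (ncipollo/release-action, per the added comment), so that action should be pinned to a full commit SHA rather than a movable tag. The same applies to peter-evans/create-pull-request in docs.yml, whose job gets `contents: write` and `pull-requests: write`. The `uses:` lines are outside these hunks, so whether they are already pinned cannot be seen here. A job-level `permissions` block replaces the workflow-level one rather than adding to it, which the comment could state: `contents: write # to create a release (ncipollo/release-action); unlisted scopes get no access`. The release job's steps, and any `if:` guard limiting it to tag pushes, continue outside the hunk.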

+ 5 - 0
.github/workflows/docs.yml

@@ -4,8 +4,13 @@ on:
   release:
     types: [published]
 
+permissions: {}
 jobs:
   open-pr:
+    permissions:
+      contents: write # to create branch (peter-evans/create-pull-request)
+      pull-requests: write # to create a PR (peter-evans/create-pull-request)
+
     runs-on: ubuntu-latest
     steps:
       -
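Review bot: The added `permissions: {}` line is followed directly by `jobs:` with no blank line, whereas the workflow-level blocks added in ci.yml and merge.yml are each set off by one; add the blank line for consistency. A short comment on the empty map would also help, for example `permissions: {} # no default token scopes; each job declares its own`, since a bare `{}` can read as a leftover. The open-pr job's steps continue outside the hunk.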

+ 3 - 0
.github/workflows/merge.yml

@@ -12,6 +12,9 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   e2e:
     name: Build and test